
 

 

How to remove Trojan.Downloader.Tibs.C



THREAT NAME

Trojan.Downloader.Tibs.C

 

CLEAN INSTRUCTIONS

Restart in Safe Mode and do the following:


1. Delete the following files:


C:\windows\system32\kernels88.exe
C:\Windows\System32\dlh9jkd1q1.exe
C:\Windows\System32\dlh9jkd1q2.exe
C:\Windows\System32\dlh9jkd1q5.exe
C:\Windows\System32\dlh9jkd1q6.exe
C:\Windows\System32\dlh9jkd1q7.exe
C:\Windows\System32\dlh9jkd1q8.exe
C:\Windows\System32\1.dllb
C:\Windows\System32\2.dllb
C:\Windows\System32\3.dllb
C:\Windows\System32\4.dllb
C:\Windows\System32\5.dllb
C:\Windows\System32\6.dllb
C:\Windows\System32\7.dllb
C:\Windows\System32\vx.tll

2. Delete the following registry keys:
NB: Before you edit the registry, please export the keys that you plan to edit, or create a backup of the system.

SOFTWARE\Microsoft\Windows\CurrentVersion\Run - System
SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices - SystemTools


3. Instructions on how to enable Task Manager can be found in the BullGuard Techguides.

 

4. Go to Start, Run, type:

 

netsh firewall reset

 

and press OK.


SYMPTOMS

1. Presence of the kernels88.exe file in C:\Windows\System32.

2. Increased network activity.

 

3. Presence of files whose names start with dlh9jkd1q in C:\Windows\System32.

4. Presence of files with the extension dllb in C:\Windows\System32.
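
A read-only PowerShell check for the file and registry indicators listed on this page, added here as an example and not BullGuard's own tooling. The function names are hypothetical, and checking both HKLM and HKCU is an assumption, since the page gives the key paths without a hive.

```powershell
# Added example: reports the indicators named on this page. Nothing is deleted.
$sys32 = Join-Path $env:SystemRoot 'System32'

function Find-TibsFiles {
    param([string]$Directory = $sys32)
    # Names and patterns come from the file list and symptoms on this page.
    $patterns = 'kernels88.exe', 'dlh9jkd1q*', '*.dllb', 'vx.tll'
    foreach ($p in $patterns) {
        # -Force includes hidden and system files.
        Get-ChildItem -Path $Directory -Filter $p -File -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Find-TibsRunValues {
    # Key paths and value names are from the page; the hives are assumed.
    $targets = @(
        @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'System' },
        @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'SystemTools' }
    )
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($t in $targets) {
            $path = "$hive\$($t.Key)"
            $item = Get-ItemProperty -Path $path -Name $t.Name -ErrorAction SilentlyContinue
            if ($item) {
                # Data shows which executable the startup entry launches.
                [pscustomobject]@{ Key = $path; Value = $t.Name; Data = $item.($t.Name) }
            }
        }
    }
}

$files  = @(Find-TibsFiles)
$values = @(Find-TibsRunValues)
$files  | Format-Table -AutoSize
$values | Format-List
'{0} file indicator(s), {1} registry indicator(s) found.' -f $files.Count, $values.Count
```

Run it from an elevated 64-bit PowerShell session so that System32 is not redirected to SysWOW64, and run it again after the clean instructions to confirm that both counts are zero.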


DESCRIPTION
1. This trojan copies itself to the system directory under the name kernels88.exe.

2. It lowers security settings by bypassing the Windows Firewall so that the malware can connect to the Internet.

3. It tries to download files, which are copied to the system folder and then executed.

4. It steals and sends information about the computer.

5. It sets registry keys so that it runs at startup.

 

6. It disables the Task Manager.



 

Author:
The BullGuard Team

 

 

 

 

 

 

 
